Patch Tuesday Bottomline – May 2010

Microsoft’s release for May 2010 contains 2 Bulletins (MS10-030 and MS10-031) fixing 2 vulnerabilities, one of its low impact releases. MS10-031 is for Microsoft Office and addresses a remote code execution vulnerability present in all versions, Office XP, 2003 and 2007. Its exploitability index is 2, so exploit code within the next 30 days is unlikely. Microsoft’s blog post at the SRD goes into further detail on the difficulties in writing a working exploit. While the bulletin only carries a severity of "important", we consider it to be the more urgent of today’s release.

The second bulletin MS10-030 fixes a vulnerability in Windows Outlook Express and Windows Mail, both mail clients for the POP/IMAP protocols. The vulnerability allows remote code execution and is classified as "critical". Successful exploitation however is unlikely (exploitability index = 2) as it requires extensive user involvement including setting up an e-mail account on a malicious server. We don’t see Outlook Express/Windows Mail being used in the enterprise but smaller businesses could be affected.

Microsoft did not address the recent SharePoint vulnerability (KB983438). We recommend looking into the advisory and implementing the suggested work-around which restricts the access to the Help functionality in SharePoint.